Back in the days before online banking, the biggest threat of fraud involved someone printing fraudulent checks or forging signatures. With the emergence of the Internet and, more recently, smartphones, however, the threat of online fraud has become both multifarious and increasingly difficult to combat. Moreover, according to Martin Romain, senior vice president and general manager of FIS Risk, Fraud and Compliance Solutions, the threat is beginning to mirror that found in the credit/debit card industry.
What should banks do? In Romain’s view, banks need a robust strategy for mitigating fraud, as well as a new level of investment in both technology and people — just to stay ahead of the curve.
“With the introduction of new channels for conducting transactions, such as remote deposit capture, online banking and mobile banking,” Romain said, “threats in the ‘consumer not present’ environment are increasing rapidly. We are now seeing threats to traditional banking transactions from remote criminals similar to what the card industry has seen for years: highly organized attacks from all over the world via multiple channels.”
Although Romain believes the gap between large banks and community banks has narrowed in terms of fraud awareness, he also expresses concern that banks are not as prepared as they should be. In addition, many banks, in an effort to extend their service offerings, such as mobile banking, have not conducted adequate due diligence in terms of assessing their increased fraud exposure. One area that needs more attention, for instance, is non-monetary account activity, such as changing account information or passwords.
“Non-monetary activity can be a leading indicator of fraudulent activity waiting to happen,” Romain said, “and yet many organizations either ignore or are incapable of capturing and acting upon these indicators. Disparate and seemingly unconnected events — or non-events — associated with an address change request, a password change request and, for PIN-enabled environments, a PIN change request over an indeterminate period of time, can be strong indicators of account takeover or ID theft.”
Banks must not become lax in the battle against fraud because the threat continues not only to escalate across an increasing number of banking channels, but also to become more sophisticated and difficult to detect.
An important first step in this battle is to form a central unit with responsibility for reacting quickly to fraud trends and preventing losses. Romain recommends that this unit have direct profit and loss responsibility for its technology and operational expenses, as well as authority for the resulting charge-offs from fraud attempts.
Next on the to-do list is conducting a thorough assessment of current legacy applications for detecting and preventing financial crimes, beginning with a look at the bank’s current product mix, such as remote deposit capture, online banking or wire/ACH services.
“From there,” Romain said, “understand the risk dynamic each channel/service represents. Compare that to your current capabilities, both from a staffing and a technology perspective, and identify gaps. You can prioritize your gaps based on exposure. This does not have to be a complete ‘rip and replace’ proposition.”
Looking ahead, the banking industry will eventually need real-time fraud detection to ensure maximum effectiveness in blocking fraudulent transactions. “Real-time funds availability and faster payments have become realities,” Romain said. “The consequent reality is that Day 2 fraud processes will become obsolete in a very few years. And next-generation technology requires the ability to adapt and grow as market dynamics continue to change to justify any investment.”
Michael Scheibach is executive editor of BankNews.
Copyright © July 2011 BankNews Media